STUTTGART, Germany – NATO is moving into 2022 determined to increase its cyber defense posture, investing in new capabilities, refreshing its policies, and learning from recent exercises to do so.
Coming off the heels of the most recent flagship exercise – Cyber Coalition 2021, held in-person in Tallinn, Estonia – alliance officials are focused on ensuring that networks, people, and resources are as protected as possible, several leaders said at a media day held Dec. 6.
“We have to evolve, we have to progress, we have to increase our level in defending these networks,” said Gen. Philippe Lavigne, NATO’s Supreme Allied Commander Transformation since September 2021.
The alliance has a multi-pronged approach to boost its cyber defenses: modernized and refreshed capability investments, new policies and strategic concepts, and stronger information sharing and situational awareness among its 30 member nations.
NATO plans to spend several hundred million euros on cyber defense capabilities over the next few years, said Ian West, chief of the NATO Cyber Security Center in Mons, Belgium.
Those funds will be spent both on refreshing existing equipment – “a constant need” – and on modernizing NATO’s capabilities, he said during the media day.
Industry will continue to be involved in these investments, he noted. “I don’t think that we’ll ever not need industry, and I can’t think of anything that they’re not involved with.”
NATO recently announced several efforts meant to help the alliance work more closely with private-sector entities on a host of critical technologies, to include cybersecurity. These include the Defense Innovation Accelerator of the North Atlantic (DIANA), and an innovation fund to support the development of dual-use technologies.
Member-nations will invest up to €1 billion ($1.16 billion) into the fund, said David van Weel, NATO’s assistant secretary-general for emerging security challenges, at the media day.
In addition to new funding, NATO plans to merge its two major cybersecurity conferences into a new forum, dubbed NATO Edge and to be held next fall, likely in Mons. The NATO Communication and Information Agency’s NITEC Connect industry conference will combine with the NATO Information Assurance Symposium (NIAS) to form the new conference, West said. “I can’t tell you how much I’m looking forward to actually being in-person with our community again,” he added.
Policy changes
On the policy side, the alliance approved a new cyber defense document in June at its Brussels summit, and cybersecurity will feature prominently in a forthcoming strategic concept paper, to be formalized at the 2022 NATO Summit next June in Madrid.
The last strategic concept, released in 2010, featured about a paragraph on cybersecurity, “with a few mentions elsewhere in the document,” said David Cattler, assistant secretary general for joint intelligence and security.
While the 2010 document was “prescient” in its assessment of the types of cyber threats that NATO would face over the next decade, “It’s clear that we now need more emphasis on cyber,” he said during the media day.
The June cyber defense document reflected the alliance’s assertion that “Cyber is a domain that is always on,” van Weel said.
“Allies continue to build on the cyber defense pledge that they adopted in 2016,” he continued. “This is about 30 allies working together and alongside partners, to enhance their resilience, and to learn from each other in the process.”
Setting a new threshold for Article V triggers
The new NATO cyber policy released in June also affirms the alliance’s decision to consider that certain “lower-level” malicious cyber attacks by the same threat actor can be as destructive as a single, large-scale cyber attack, and could, at least in theory, trigger the treaty’s Article V collective defense mechanism.
“We see that a lot of activity, ongoing activity below that threshold of one single large attack, can actually have the same strategic conflict implications or more,” van Weel explained. “It’s about not limiting our options to just waiting for a massive attack. It’s about recognizing that what happens below that threshold of a massive attack is worthy of our attention.”
Whether Article V is triggered or not has been and remains a decision made on a case-by-case basis, and should be seen as an added deterrent for potential threat actors, he noted. “The new policy … that’s not escalating. That is just stating clearly how we see the field.”
New and ongoing cyber threats
Interconnectivity will prove critical to the alliance into the 2030s, Cattler noted. But adversaries are now working hard to turn that asset into an operational weakness. As NATO’s network grows – as it gains more and more users and shifts increasingly to remote operation – the alliance is “increasing the threat surface,” and seeing more “below-the-threshold” attacks that are trickier to attribute, Cattler said.
In the near term, NATO is watching for cyber threats including malware attacks on critical infrastructure as well as Internet-of-Things (IoT) devices, password spraying, intentional and accidental insider threats, and the emergence of “ransomware-as-a-service” – where a threat actor could offer to sell or rent out their entire platform for others to use for ransomware attacks. There is “increasingly a businesslike approach to [cyber] operations,” Cattler noted.
That being said, the alliance has not recently seen “an increase” in insider threat attacks, but it is a “constant” menace, West said. “We always take measures to control what our users can do on a network, … but we don’t see an increase in that particular threat,” he said.
Lessons learned from Cyber Coalition 2021
The 2021 edition of NATO’s flagship Cyber Coalition exercise was recently held in person in Tallinn, after the 2020 event had to be held virtually due to COVID-19. Exercise Director Graeme Rook lauded the fact that the alliance held a “major, physical, high-profile exercise during the pandemic,” which included over 1000 participants from over 30 nations.
The goal of Cyber Coalition is to improve collaboration between NATO allies and partners in the cyberspace domain, and hone the ability to conduct cyberspace operations for military and civilian entities, he said at the media day. The exercise also helps NATO identify capability gaps, practice requirements, and validate new procedures for future use, capability development, and training.
Ninety-six percent of the participants were on the ground in Tallinn, while 4 percent operated out of NATO offices in The Hague, Netherlands, “to practice business continuity,” Rook said. Reflecting on the outcome of 2021 versus 2020, he noted, “virtually, you don’t get the same fidelity of questions; you don’t get the same buy-in.”
Twenty-six member nations participated, along with four NATO partners – Sweden, Finland, Switzerland, and Ireland – as well as South Korea, Japan, and Ukraine, he said. The coalition exercise involved five fictional storylines that spanned the potential threat arena, from a ransomware attack seeking to disrupt vaccine rollouts; to a supply chain compromise; to a paper exercise involving the compromising of a nation’s surveillance drone.
NATO used Estonia’s cyber range at the Training Center CR14 for three out of five storylines, up from one in previous years, Rook noted. “We are accelerating our input into warfare capability,” he said.
In tandem with the storylines, an experimentation team developed an automated tool to gather and siphon information for more rapid decision-making, and reduce the need for manual threat analysis, he said.
“That was successfully demonstrated at Cyber Coalition, and now we’re going through validation [and] quality control,” Rook said, adding that once those checks are complete, that tool will be rolled out to the NATO Cyber Operations Center.
Still playing defense, not offense
For all of the renewed and novel investments going into NATO’s cybersecurity portfolios, the officials emphasized that the alliance will continue to operate defensively, and is not looking at offensive cyber capabilities.
“Allies have offered their cyber capabilities in a crisis, but offensive cyber is not something that NATO itself does,” van Weel said.
Vivienne Machi is a reporter based in Stuttgart, Germany, contributing to Defense News' European coverage. She previously reported for National Defense Magazine, Defense Daily, Via Satellite, Foreign Policy and the Dayton Daily News. She was named the Defence Media Awards' best young defense journalist in 2020.